Vulnerability

    cdmount

Affected

    AIX

Description

    Following is based on Internet Security Systems Security Advisory.
    The  AIX  cdmount  program  allows  regular  users to mount CD-ROM
    filesystems.  This program is basically a SUID to root wrapper  of
    the mount command.  Insecure handling of the arguments to  cdmount
    may allow a local regular user to execute commands as root.  Local
    users may gain root privileges.

    Affected systems are AIX systems with the LPP UMS.objects  2.3.0.0
    and below installed.   Use the command  'lslpp -l UMS.objects'  to
    verify if a vulnerable version is installed.

    The cdmount program  is part of  the AIX UltiMedia  Services (UMS)
    package. UMS provides multimedia applications to AIX workstations.
    The cdmount program is normally used as a helper to UMS multimedia
    players.  It has SUID  root permissions to allow regular  users to
    mount a  CD-ROM.   The system()library  subroutine is  used within
    cdmount  to  invoke  the  mount  program..  This subroutine spawns
    a shell to  execute the mount  command with arguments  provided by
    the user.  An attacker  may execute arbitrary commands as  root by
    calling cdmount with arguments containing shell metacharacters.

Solution

    ISS recommends removing the SUID bit from cdmount by executing the
    following command:

        # chmod 555 /usr/lpp/UMS/bin/cdmount

    IBM  is  currently  working  on  the  following  APAR  (Authorized
    Problem Analysis Report), which will be available soon:

        APAR 4.3.x:  IY10903

    Until the official fix is available, if UMS is not being used  IBM
    recommends uninstalling UMS or removing the SUID bit from cdmount.
    APARs  may  be  ordered  using  Electronic  Fix  Distribution (via
    FixDist) or from the IBM Support Center.